Curse of the HP Software Updater

According to a "highly critical" alert issued by Secunia, the HP Software Update package pre-installed on notebooks contains multiple security holes that can be exploited to disclose certain information or compromise a vulnerable system.

The bug affects any PC with HP Software Update v4.000.009.002 or earlier running on Microsoft Windows.

According to an advisory from Tan Chew Keong, the hacker who discovered and reported the issue to HP, the vulnerabilities were found in the HP HPeDiag ActiveX Controls that are loaded as part of HP Software Update version 3.0.2.991 when the user installs the Windows software suite for HP color LaserJet 2820/2840.

The most serious issue is a stack-based buffer overflow that occurs within the GetXmlFromIni method of the HPeSupportDiags.HPIniFileUtil.1 ActiveX control when creating XML output from an INI input file.

From the alert:

This control is marked "safe-for-scripting" and hence, can be invoked from Internet Explorer. In this method, each Section name that is read from the INI input file is used in an unsafe sprintf() call to construct the XML output. This causes a stack-based buffer when the Section name is overly long. To exploit this vulnerability, the attacker must be able to create a webpage that uses the GetXmlFromIni method to process an INI file that is accessible by the victim. By placing the malicious INI on a publicly accessible Windows shared folder, it is possible for the attacker to trigger this buffer overflow without having to first place the INI file on the victim's system.